More steam!

Transparent Evangelism no longer Transparent

The following is a commentary on the company, not their service. A friend of mine emailed me in the afternoon regarding some whitewashing and sent me a few links; I guess this was just bad timing, because when I got it I was in a very sour mood… which quickly took a turn for the worse. Thanks Ravi, but you totally ruined my day. :(

Teh Spiel

Three years ago, I had a bit of a spat with a company called Passpack (going as PassPack back then) for spamming my blog and several others (the links are now dead). The co-founder, Tara, tried her best to defend the spamming in my comments by calling it “Evangelism”, but I was left unconvinced. We continued the discussion on their blog, on a post called Transparent Evangelism on March 6th (the trackback to that entry is still on my post). “In the name of transparency, we’ve opened a discussion on our own blog” said Tara. Alas, the transparency, at least regarding their own marketing practices, seems to have since ended, because the post has been quietly deleted.

Opaque Evangelism: Or how to clean up bad publicity

I have no idea when the whitewashing happened, but luckily, the Web Archive stored the post, albeit with severe CSS issues as is usually the case with Archive entries. I’ve taken the liberty of taking a screenshot in case the Archive is unavailable.

Once it's online, it's there forever

In my follow-up review of the service, Francesco Sullo made a comment admitting to leaving the download.com review himself and asking me to tone it down a bit because the little elves were “frightened by all this aggression”. This turned out to be a bit of a lie because, although my review was in March, at least one of the little elves wasn’t frightened enough to avoid continuing the spamming evangelism 8 months later:

Really?

That wasn’t a “review” as one can plainly see, but it did help the ratings (one of which included a 1-star) and the company calls this “Evangelism”? Please.

Deleting Transparent Evangelism, the post where negative feedback was aired on their own blog, and breaking their pledge to take my feedback and the other comments on that post into consideration during their subsequent escapades in “Evangelism”, has shown that their commitment to transparency is demonstrably hollow.

This wouldn’t bother me as much if it weren’t for the company’s continued use of the word “Transparency” on their blog, as if that somehow makes this faux-piety toward one’s own company beyond reproach. Tara’s own words on my original post: “as the founder of PassPack, I wanted to respond and hope you’ll allow me to do so publicly”. I certainly allowed her to do that, and in the comments on Transparent Evangelism she added “If I’m making mistakes, I’m certainly not trying to hide them. That’s transparency” (emphasis mine).

Wow.

Well, she did take down the post to hide said mistakes while mine remained and that makes her company fair game for this thrashing…

Transparency ≠ suppression of dissent.

…and that’s regardless of degree, source, tone and age of said dissent.

Tara mentioned in the Transparent Evangelism post that one of their criteria for leaving comments is to always identify themselves as being part of Passpack, as a matter of transparency. But if they’re willing to delete entire posts on their own blog, how far can we trust that transparency? Since October they’ve moved their user feedback from UserVoice to Facebook. Considering how much time these people invest in social media and how easy it is to “clean the wall” and block certain commenters on Facebook, I’m forced to wonder if this was an attempt to better control negative feedback (I’m not talking about technical stuff, although that’s always a possibility, but company practices).

I haven’t kept close tabs on this company and had completely forgotten about them until the email, so how many legitimate criticisms have been similarly removed since then or before? How many flippant “Passpack sucks” or similar comments have they seen, and how have they dealt with those?

We’ll never know.

If anyone from Passpack comes across this post and wonders why I wrote this now, all of a sudden: You guys just showed up on my naughty radar while I was having a bad day. Sucks for you.

Full disclosure + Personal rant

I stopped using Passpack after my initial review long ago and I don’t know how the software performs now, so I can’t comment on the technical merits.

I’m still of the firm belief that third-party password management is not a good idea, no matter how secure the encryption, since it still relies on availability… thus an internet connection. They’ve been transparent about some of the technical issues, like their host getting hacked (BTW, balls for coming forward with that), but once again that brings availability into question.

Then there’s the problem of compatibility, and responsibility for login failures can’t always be resolved, as this poor fellow discovered (I can practically hear the tumbleweeds).

Mind you, I really need to have secure passwords, since some of my client jobs do involve applications that accept and store Social Security numbers, credit card numbers, birthdates, phone numbers, full names and addresses. Also, on some systems I use, connectivity is intranet only, and indeed many have just a command-line interface.

If you have too many passwords to remember, then don’t remember them!

For both my work and personal life, I use my tried-and-true method of mnemonic password generation with an added set of personal parameters for special character permutations. I.e. an odd or even number of vowels, consonants or apparent syllables, and the particular use each password is for, will each trigger the use of a different set of 2-3 special characters.

Using this method, I have successfully managed to hold on to 40+ strong passwords at a time, with well over 15 of them that I need to change frequently due to regular use, and I will also use a different permutation depending on when I last changed the password. I don’t write any of these passwords down or otherwise “store” any of them anywhere (even encrypted); only the original mnemonic and the method of encoding/decoding stay in my head. The passwords are all generated as needed, when I need to use one or create a new one. I also don’t use common phrases, as mine are usually excerpts from old Sri Lankan nursery rhymes or sentences and fragments I liked from out-of-print books.

Your brain is so far the only hacker-proof storage solution.

Of course, none of these measures are of any use if someone can call me or otherwise employ social engineering and get my cooperation, so common sense is really your best security measure.

As for people considering password managers for corporate situations: We’re not dealing with drones, and people can’t be reduced to just a login ID and password. Sometimes you just have to know the people you’re dealing with on a personal level to take care of their security and other needs, be it 4 users or 400. Hire some people! Get them involved! Don’t think about productivity only in terms of dollars!

If someone at work forgets their password, the first thing I do is get in touch with them personally (not phone, not email, not Skype) and walk (remember how we used to do that?) up to see if I can help them remember first, and only then reset the password. If personal contact isn’t possible, I sandbox the system to let them do their work, but then make them select a new password.

If I can’t meet them in person, then all of this is preceded by a conversation to make sure I’m speaking to the individual he/she claims to be.

Not just “how ’bout them Knicks”, but “did you enjoy the trip to Barbados?”
Wrong answer: “I sure did!”
Right answer: “Hey, I told you it was Manila, remember?”

Not only does this encourage true communication and honest-to-God personal interaction with the people you’re working with, it also encourages understanding and cooperation.

And you know what’s even better than not having too many passwords? Not having as many disparate systems.

Behavioral changes are the first step in securing your online experience. It’s a lifestyle adjustment for sure, but for better digital self-reliance, I believe it’s absolutely necessary, especially in these times.

5 thoughts on “Transparent Evangelism no longer Transparent”

Hello, Passpack was a small company with the dream of protecting the privacy of users by creating a framework for privacy. We started with passwords in order to show that the technology was secure. When we had this accident, we were just funded and we were completely without experience. So we made a lot of mistakes. Just a few months and it was clear that the company could not resist, and in a few months the company was again a startup of two people. For more than a year the company has been just me. Our dream died years ago. Now, we have revenues, but they are just sufficient to maintain a service that our customers love. From a business point of view, the only thing to do is to turn off the service, but from an ethical point of view I continue to support it because there isn’t a real alternative for our users. Thanks for your thoughts.

About your secure way to generate passwords (https://eksith.wordpress.com/2008/03/04/ultra-secure-passwords/) I would like to advise you not to do it. If the attacker is a cryptanalyst and he catches two of your generated “super secure” passwords (for example, because you log into his websites) he can easily discover your method in minutes.

Sullo! Thanks for dropping by.
Sorry to hear about the company, but I hope all else is well. BTW, good to hear evangelism has been dropped.

I presume your advice comes from the impression that this is a variation on the book cipher. The method isn’t really a secret, since any decent attacker would attempt pattern matching as a first step.

Even if I were to enter two passwords on an attacker’s site, none of my passwords come from the same source.

The weakness in a book cipher is commonality. If the source is not known, or even if it’s a phrase like the one you put in your Passpack is not LastPass post, “if you can not defend yourself, you need a big friend that can defend both of you”, then if it is not made public, no attacker could figure it out. Which incidentally would be turned into:
